Wiz's Computer and Website Security Blog

The newest version of the Conficker Worm, a.k.a. Downadup, said to have already infected over 10 million PCs, is programmed to begin contacting a huge list of new domain names, beginning on April 1, 2009. Each PC that is currently infected with the most recent variant of this Worm will begin generating a list of 50,000 domain names, many of which might be registered by the criminals behind this Worm. It will then pick names it generates on each infected computer and try to contact that domain, for further instructions, or program updates. If those domains are in fact active and under the control of the Botmasters running the Conficker Worm, updates will be sent to all of the PCs making contact on, or after April 1. Those updates are probably going to make it more difficult to disinfect these PCs, or to contact any security websites for malware removal tools.

If you are not already infected it is because you took the proper preventative measures last October 23, 2008. That was the date that Microsoft released a sudden, out-of-cycle critical update, in security bulletin MS08-067 and Windows Update patch kb958644, which plugged a vulnerability in the Windows Server Service. That vulnerability is what was exploited by the first two releases of the Conficker Worm (Conficker.A and .B). Since most Windows users who run legitimate copies of Windows have set their computers to receive and apply Automatic Windows Updates, they were protected when the Worm was first released in the wild, in November, 2008.

However, people who turned off Automatic Updates because they don't trust Microsoft updates, or because they are using pirated copies of Windows and don't want to get nagged about it, probably got hit by this Worm, soon after its release. The highest percentages of Conficker infections occurred in countries with the highest numbers of pirated Windows operating systems. These nations include China, Russia, Argentina, and Brazil.

I would like to point out that there is another group of vulnerable people, who may not realize that they are critically exposed to the Conficker Worm (and the likes). These are legitimately licensed users of Windows XP, or newer, who had to reinstall their operating systems to fix other problems or malware infections, any time after the MS08-067 patch was released. If you let any significant time elapse between reinstalling Windows and then obtaining all available patches, especially MS08-067, you could have been exposed to a Conficker attack and possibly been infected and don't know it yet (not likely - the Worm causes noticeable trouble on a PC). This is why I always make my first Internet connection after validation to Windows Updates (repeatedly, until all patches have been installed)!

If you want to know if your Windows PC is infected just try to go to Windows Updates, either via the link in your Start Menu, or using the link in Internet Explorer, under Tools. If you can't open Windows Updates at all, but can visit other non-security related websites (Yahoo, MSN, CNN, etc), you just may be Confickered. To find out for sure you should run scans with any anti virus software you have installed. Try to update it first, before scanning. If you are already infected with Conficker.B, or Conficker.C, you will not be able to update most anti virus definitions at all. This is caused by the Worm denying access to any website run by any major security vendor.

If this is the case for your PC(s) there is a downloadable Conficker Removal Tool available from Bit Defender, that removes Conficker A, B and C variants. The removal tool is available here. There is also an online scanner on the landing page, which you can run to see if you are indeed infected. If the Bit Defender page is inaccessible, here is the URL for the online scanner: http://91.199.104.31

Note, that licensed users of Trend Micro Internet Security products are already protected against the Conficker threats.

I will have more to tell you about this Worm after tomorrow comes and goes. We will see what we shall see!

Posted by Wiz at 7:08 PM | Permalink

back to top ^

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam (to my honeypot accounts) is still way down from last fall, thanks to the efforts of security companies, who have tirelessly pursued the server colocation facilities used by spammers to command and control spam-sending Botnets and then shut them down or get spam accounts terminated. Those spammers are rebuilding or replacing their Botnets as I type this, so let's not become complacent. In fact, my spam count has been slowly increasing since the third week of January, 2009. This may be by design, as spammers are known to occasionally whitelist honeypot email accounts, to avoid detection.

If you use MailWasher Pro you can enable the Blacklist function and add some pattern matching blacklist filters to automatically delete spam messages containing a forged From address matching either of these Regular Expressions: lin+met@+.de and kef+diz@+, in MailWasher Pro. The interesting fact about those two rules is that the same forged domain name prefix is used on both sides of the @ symbol. So, if you see an incoming email with a sender listed as kefsomedomaindiz@somedomain.com it will match that rule.

MailWasher Pro spam category breakdown for March 23 - 29, 2009. Spam amounted to 8% of my incoming email this week.

Download MailWasher Pro Here

If you are reading this and wondering what you can do to reduce the sometimes huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft/Windows Live Mail, Eudora, Mozilla and other stand-alone email programs).

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. I never buy anything that is Spamvertised and recommend you don't either! Remember, almost all spam is now sent from compromised home or business PCs, zombies in various Botnets, all of which are controlled by criminals. If you purchase anything advertised in spam messages, you have given your credit or debit card information to the criminals behind that enterprise. If you are really lucky you will only be charged for the fake items you purchased, but, if not, you might find your credit limit used up, or your bank account emptied (for debit card transactions), by cyber criminals.

Also, unsubscribing through links in botnet-sent spam messages is futile, as you never opted-in, in the first place; your email address was captured by an email harvester on an infected computer belonging to somebody you corresponded with. Instead of receiving less spam as one might expect (by unsubscribing), all it does is confirm that your email address is active and you will see even more spam than before.

Another common way your email address may get harvested by spammers is if it appears in a large C.C. (Carbon Copy) list on a computer that gets Botnetted. Many people engage in forwarding messages among all their friends. Each time they forward chain letters their address gets added to the growing list of recipients (called Carbon Copy, or CC). If just one recipient of that message has an email harvesting malware infection, all of the email addresses listed in that message will be sent home to the spammer behind that spam run.

Smart folks who want to forward or send a message to multiple recipients use B.C.C. instead of C.C. Using B.C.C. hides all of the recipients from displaying. The To field will just show "Undisclosed Recipients" in a message sent using B.C.C. This is safest for you and your friends or mailing list. All email clients have a means of displaying a B.C.C. field.

Posted by Wiz at 4:10 PM | Permalink

back to top ^

If you use Spybot Search and Destroy to protect your computer against spyware, it is time again to run your manual updates. New definitions and false positive fixes are usually released every Wednesday. This week's updates were released on schedule on March 25, 2009, as listed below.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers.

When all updates have succeeded, click on "Exit." With the program updated it is time to open the main program interface, using either the Start Menu link, or a desktop icon, to launch Spybot Search and Destroy. The next item to take care of is to apply Immunization. Click on the Immunize button in the left sidebar, select everything you want, or uncheck things like cookies, or Hosts, or Domains, as you see fit, then click on Immunize button over the right panel, that has a green cross. After immunizing against unwanted items you should click on the Search &Destroy icon, on the left, then click "Check for problems," on the right side.

It will take several minutes, or longer to scan all your files for known threats, and possible threats, using heuristics, unless you disable heuristics in the program's main Advanced Mode > Settings. When the scan completes anything listed in the definition databases will be listed in the results window, with check boxes in front of each main item group. If you find the program has listed some cookies or other programs you use and trust, uncheck them, click on the item name and the right click and select "Exclude this product from further searches." Finally, click on "Fix (selected) Problems."

Spybot Search and Destroy 1.6.2 was released on January 26, 2009. This is probably going to be the last "maintenance release" before version 2.0 is released. It scans for threats about 4 times faster than previous versions and has an redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6.2. The newest Virtumonde and Zlob threats require the anti malware engine in Spybot 1.6+ to effectively remove them.

Also today, the Tea Timer module was updated to version 1.6.6. If you use the Spybot Tea Timer you should install this update (as an administrator).

Additions made on March 25, 2009:

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ CMVideo
+ Fraud.Downloader.gen
+ Fraud.MalwareDefender2009
+ Fraud.SystemGuard2009
+ Fraud.TotalAntispyware
+ Spambot.mib

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
+ GameVance

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ Fraud.VirusRemover2009
+ SpambotLoad.cn (Botnet)
+ Virtumonde.sci
+ Virtumonde.sdn
+ Waledac.cn (Botnet)
+ Win32.Koutodoor.aik
+ Win32.Poison.pg
+ Win32.Small.ajbq
+ Win32.Small.NCA
+ Win32.TDSS.rtk (Rootkit)
+ Win32.Virut.bg

Total: 1525689 fingerprints in 484951 rules for 4580 products.

False positive detections reported or fixed this week:

A false positive detection was reported in Tea Timer, of Ardamax, in the Windows System file Cleanmgr.exe. It is being investigated.

There was a confirmed false positive detection of "Italian Frameless" in Microsoft Office OutlookConnector.exe. It is being investigated.

If you have purchased McAfee, Symantec, or Trend Micro security suites (which are very good products) and they ask you to uninstall Spybot, or do so without your option to refuse, simply reinstall Spybot afterward. But, I recommend not activating the Tea Timer module in Spybot S&D, as this will cause a struggle over which program monitors the system for realtime changes.

Extended Comments

Various reports from the Internet and from Safer-Networking's own testing seem to indicate that there is a problem between Internet Explorer 8 and the immunization feature of Spybot - Search & Destroy, causing a slow startup of IE 8. It is caused by the large number of websites added to the browser's Restricted Sites Zone. This is being worked on by Team Spybot.

Team Spybot has changed the name of the Spybot S&D setup file. The installer file that is downloaded to the desktop during a main update (to allow you to see the file and store it elsewhere if you want) is now named setup-spybotsd162.exe instead of spybotsd162.exe to avoid confusion with the regular Spybot... start link. The new naming convention should continue with future releases.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the new detections, by its name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection. A number in parenthesis, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

The domain "Spywareinfo.com" and TrafficZ was recently added to the HOSTS file updates (for redirection to 127.0.0.1), because the domain name expired and was purchased by spammers or malware distributers, in December 2008. It is now advertising a fake Spybot Search & Destroy, fake security scans and various malware downloads. The new Spywareinfo malware removal forum is located at: http://www.spywareinfoforum.com/

Note for Firefox users who saved links to the old spywareinfo website:
It has recently (Feb/09) been reported that in some versions of Spybot S&D, on some operating systems, if you have a link to the old spywareinfo website, now owned by purveyors of fake anti spyware products and scanners, "fixing" it will erase your entire Bookmarks.html file. This is being looked into right now and hopefully will be fixed real soon. In the meantime, if you use Firefox as your browser (which stores Favorite places as "Bookmarks") and after running a scan Spybot lists an infected bookmark with Spywareinfo as the culprit, uncheck that entry before fixing any other problems. You can manually edit your Firefox Bookmarks to remove the link to that website, or any similar compromised website.

Malware Removal Guides

The good folks at Spybot S&D have started a new segment of their official forums, titled "Malware Removal Guides." Each week they intend to write a short self-help article to help you remove various common malware threats manually, or in conjunction with Spybot S&D. This should prove to be a very useful addition to the Spybot forums.

If you are still using Spybot S&D 1.3, or 1.4, update support is about to end and your computer will be at greater risk because of having out-dated definitions. Furthermore, older versions of Spybot are known to report lots of false positives, due to the advanced heuristic rules now found in the newer definition files.

If you are using any version older than 1.6 please upgrade to the current version of Spybot S&D, which is now 1.6.2, as soon as possible. New definitions for malware like the Virtumonde family of Trojans need the newer processing technologies introduced in version 1.6.0. Also, the number of malware definitions has more than doubled between July and December, 2008.

Work is progressing at a steady pace on Spybot S&D version 2.0, thanks to an army of volunteer beta testers. The upcoming version will be modularized, with separate executables carrying out different detection and immunization tasks now performed by the main program file. This is expected to speed up the scanning times, which is becoming more strenuous with the rapid increase in the number of detections being developed by Team Spybot.

To benefit from these improvements, I recommend that you update to Spybot Search & Destroy 1.6.2, which is available through the update function integrated into the application as well as from the Spybot S&D download page. When version 2.0 is finally released you should follow the to-be-posted instructions and upgrade to that version.

If your computer gets stuck in a logon/logoff loop, after updating and scanning with the older versions of Spybot, visit this forum page for a solution, from Team Spybot.

Of continued concern to people who operate as Limited or Power Users for their daily browsing and email, Spybot Search and Destroy is still corrupting your less privileged accounts after you update it, immunize and scan from an Administrator level account. If, after doing these things, you log off the Administrator account and try to log into your Limited/Power User account, it may be corrupted and a generic desktop and start menu may appear. Don't panic! Your account and desktop can be restored by simply rebooting the computer. When you login after the reboot your previous settings will reappear. I don't know why this happens, but, stuff happens! It may be related to the relatively new rootkit detection added last year.

If you want to get direct assistance from Team Spybot, or their talented volunteers, visit the Spybot support forums, sign up for a user account and post your request for assistance. Be sure to read the rules before posting a question or reply.

If your computer is infected and you need help removing the threats, go to the Malware Removal Forums, at Safer Networking/Spybot.info. Again, read the rules before posting your request or logs! Do NOT inject your problem into somebody else's thread! Start a new topic.

Some people are confused by detections of Wild Tangent on their computers. Wild Tangent is detected as a PUP, meaning Potentially Unwanted Program, because it does send home some identifiable information about you and your computer. It ships with various games and screen savers and is a means of funding those programs. If you knowingly installed Wild Tangent and aren't worried about it, and don't wish to have Spybot repeatedly display it in scan results, do the following: Right click the WildTangent Product in the Scan result and select to "Ignore the product from further searches."

If Spybot flags a file on your computer that you believe is a false positive detection, use caution and check with the Spybot False Positives Forum before allowing it to be deleted. You can submit a report to the Spybot False Positives forum, after signing up for an account and reading about how to report false positives before submitting your report and request for analysis.

Posted by Wiz at 2:16 AM | Permalink

back to top ^

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam (to my honeypot accounts) is still way down from last fall, thanks to the efforts of security companies, who have tirelessly pursued the server colocation facilities used by spammers to command and control spam-sending Botnets and then shut them down or get spam accounts terminated. Those spammers are rebuilding or replacing their Botnets as I type this, so let's not become complacent. In fact, my spam count has been slowly increasing since the third week of January, 2009. This may be by design, as spammers are known to occasionally whitelist honeypot email accounts, to avoid detection.

If you use MailWasher Pro you can enable the Blacklist function and add some pattern matching blacklist filters to automatically delete spam messages containing a forged From address matching either of these Regular Expressions: lin+met@+.de and kef+diz@+, in MailWasher Pro. The interesting fact about those two rules is that the same forged domain name prefix is used on both sides of the @ symbol. So, if you see an incoming email with a sender listed as kefsomedomaindiz@somedomain.com it will match that rule.

MailWasher Pro spam category breakdown for March 16 - 22, 2009. Spam amounted to 8% of my incoming email this week. This represents a 3% decrease from last week.

Download MailWasher Pro Here

If you are reading this and wondering what you can do to reduce the sometimes huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft/Windows Live Mail, Eudora, Mozilla and other stand-alone email programs).

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. I never buy anything that is Spamvertised and recommend you don't either! Remember, almost all spam is now sent from compromised home or business PCs, zombies in various Botnets, all of which are controlled by criminals. If you purchase anything advertised in spam messages, you have given your credit or debit card information to the criminals behind that enterprise. If you are really lucky you will only be charged for the fake items you purchased, but, if not, you might find your credit limit used up, or your bank account emptied (for debit card transactions), by cyber criminals.

Also, unsubscribing through links in botnet-sent spam messages is futile, as you never opted-in, in the first place; your email address was captured by an email harvester on an infected computer belonging to somebody you corresponded with. Instead of receiving less spam as one might expect (by unsubscribing), all it does is confirm that your email address is active and you will see even more spam than before.

Another common way your email address may get harvested by spammers is if it appears in a large C.C. (Carbon Copy) list on a computer that gets Botnetted. Many people engage in forwarding messages among all their friends. Each time they forward chain letters their address gets added to the growing list of recipients (called Carbon Copy, or CC). If just one recipient of that message has an email harvesting malware infection, all of the email addresses listed in that message will be sent home to the spammer behind that spam run.

Smart folks who want to forward or send a message to multiple recipients use B.C.C. instead of C.C. Using B.C.C. hides all of the recipients from displaying. The To field will just show "Undisclosed Recipients" in a message sent using B.C.C. This is safest for you and your friends or mailing list. All email clients have a means of displaying a B.C.C. field.

Posted by Wiz at 3:21 PM | Permalink

back to top ^

If you use Spybot Search and Destroy to protect your computer against spyware, it is time again to run your manual updates. New definitions and false positive fixes are usually released every Wednesday. This week's updates were released on schedule on March 18, 2009, as listed below.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers.

When all updates have succeeded, click on "Exit." With the program updated it is time to open the main program interface, using either the Start Menu link, or a desktop icon, to launch Spybot Search and Destroy. The next item to take care of is to apply Immunization. Click on the Immunize button in the left sidebar, select everything you want, or uncheck things like cookies, or Hosts, or Domains, as you see fit, then click on Immunize button over the right panel, that has a green cross. After immunizing against unwanted items you should click on the Search &Destroy icon, on the left, then click "Check for problems," on the right side.

It will take several minutes, or longer to scan all your files for known threats, and possible threats, using heuristics, unless you disable heuristics in the program's main Advanced Mode > Settings. When the scan completes anything listed in the definition databases will be listed in the results window, with check boxes in front of each main item group. If you find the program has listed some cookies or other programs you use and trust, uncheck them, click on the item name and the right click and select "Exclude this product from further searches." Finally, click on "Fix (selected) Problems."

Spybot Search and Destroy 1.6.2 was released on January 26, 2009. This is probably going to be the last "maintenance release" before version 2.0 is released. It scans for threats about 4 times faster than previous versions and has an redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6.2. The newest Virtumonde and Zlob threats require the anti malware engine in Spybot 1.6+ to effectively remove them.

Also today, the Tea Timer module was updated to version 1.6.6. If you use the Spybot Tea Timer you should install this update (as an administrator).

Additions made on March 18, 2009:

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ Fraud.Antivirus2008
+ Fraud.Sysguard
+ Fraud.SystemGuard2009
+ Fraud.SystemSecurity
+ Win32.WiniGuard

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ Banload
+ Fraud.AntiSpyware2008XP
+ Fraud.XPShield
+ Virtumonde.atr
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Agent.bm
+ Win32.CPEX.f
+ Win32.Delf.acv
+ Win32.Gobot.y (Botnet)
+ Win32.TDSS.rtk (rootkit)
+ Win32.ZBot (Botnet)

Total: 1478612 fingerprints in 468339 rules for 4570 products.

False positive detections reported or fixed this week:

A false positive detection of Cydoor and Virtumonde has been reported in the updated (1.6.6) Tea Timer module, for the recently updated Adobe Reader 9.1 installer for Adobe Air. The actual file wrongly flagged is Airshareinstaller.exe. It is still being investigated to find out why this happened.

There was a confirmed false positive detection of "MalwareC" in a ComboFix file named swxcacls.exe. ComboFix is a specialized tool used in malware removal forums. It removes malware. This has been fixed with today's F/P updates.

If you have purchased McAfee, Symantec, or Trend Micro security suites (which are very good products) and they ask you to uninstall Spybot, or do so without your option to refuse, simply reinstall Spybot afterward. But, I recommend not activating the Tea Timer module in Spybot S&D, as this will cause a struggle over which program monitors the system for realtime changes.

Extended Comments

Team Spybot has changed the name of the Spybot S&D setup file. The installer file that is downloaded to the desktop during a main update (to allow you to see the file and store it elsewhere if you want) is now named setup-spybotsd162.exe instead of spybotsd162.exe to avoid confusion with the regular Spybot... start link. The new naming convention should continue with future releases.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the new detections, by its name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection. A number in parenthesis, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

The domain "Spywareinfo.com" and TrafficZ was recently added to the HOSTS file updates (for redirection to 127.0.0.1), because the domain name expired and was purchased by spammers or malware distributers, in December 2008. It is now advertising a fake Spybot Search & Destroy, fake security scans and various malware downloads. The new Spywareinfo malware removal forum is located at: http://www.spywareinfoforum.com/

Note for Firefox users who saved links to the old spywareinfo website:
It has recently (Feb/09) been reported that in some versions of Spybot S&D, on some operating systems, if you have a link to the old spywareinfo website, now owned by purveyors of fake anti spyware products and scanners, "fixing" it will erase your entire Bookmarks.html file. This is being looked into right now and hopefully will be fixed real soon. In the meantime, if you use Firefox as your browser (which stores Favorite places as "Bookmarks") and after running a scan Spybot lists an infected bookmark with Spywareinfo as the culprit, uncheck that entry before fixing any other problems. You can manually edit your Firefox Bookmarks to remove the link to that website, or any similar compromised website.

Malware Removal Guides

The good folks at Spybot S&D have started a new segment of their official forums, titled "Malware Removal Guides." Each week they intend to write a short self-help article to help you remove various common malware threats manually, or in conjunction with Spybot S&D. This should prove to be a very useful addition to the Spybot forums.

If you are still using Spybot S&D 1.3, or 1.4, update support is about to end and your computer will be at greater risk because of having out-dated definitions. Furthermore, older versions of Spybot are known to report lots of false positives, due to the advanced heuristic rules now found in the newer definition files.

If you are using any version older than 1.6 please upgrade to the current version of Spybot S&D, which is now 1.6.2, as soon as possible. New definitions for malware like the Virtumonde family of Trojans need the newer processing technologies introduced in version 1.6.0. Also, the number of malware definitions has more than doubled between July and December, 2008.

Work is progressing at a steady pace on Spybot S&D version 2.0, thanks to an army of volunteer beta testers. The upcoming version will be modularized, with separate executables carrying out different detection and immunization tasks now performed by the main program file. This is expected to speed up the scanning times, which is becoming more strenuous with the rapid increase in the number of detections being developed by Team Spybot.

To benefit from these improvements, I recommend that you update to Spybot Search & Destroy 1.6.2, which is available through the update function integrated into the application as well as from the Spybot S&D download page. When version 2.0 is finally released you should follow the to-be-posted instructions and upgrade to that version.

If your computer gets stuck in a logon/logoff loop, after updating and scanning with the older versions of Spybot, visit this forum page for a solution, from Team Spybot.

Of continued concern to people who operate as Limited or Power Users for their daily browsing and email, Spybot Search and Destroy is still corrupting your less privileged accounts after you update it, immunize and scan from an Administrator level account. If, after doing these things, you log off the Administrator account and try to log into your Limited/Power User account, it may be corrupted and a generic desktop and start menu may appear. Don't panic! Your account and desktop can be restored by simply rebooting the computer. When you login after the reboot your previous settings will reappear. I don't know why this happens, but, stuff happens! It may be related to the relatively new rootkit detection added last year.

If you want to get direct assistance from Team Spybot, or their talented volunteers, visit the Spybot support forums, sign up for a user account and post your request for assistance. Be sure to read the rules before posting a question or reply.

If your computer is infected and you need help removing the threats, go to the Malware Removal Forums, at Safer Networking/Spybot.info. Again, read the rules before posting your request or logs! Do NOT inject your problem into somebody else's thread! Start a new topic.

Some people are confused by detections of Wild Tangent on their computers. Wild Tangent is detected as a PUP, meaning Potentially Unwanted Program, because it does send home some identifiable information about you and your computer. It ships with various games and screen savers and is a means of funding those programs. If you knowingly installed Wild Tangent and aren't worried about it, and don't wish to have Spybot repeatedly display it in scan results, do the following: Right click the WildTangent Product in the Scan result and select to "Ignore the product from further searches."

If Spybot flags a file on your computer that you believe is a false positive detection, use caution and check with the Spybot False Positives Forum before allowing it to be deleted. You can submit a report to the Spybot False Positives forum, after signing up for an account and reading about how to report false positives before submitting your report and request for analysis.

Posted by Wiz at 11:29 AM | Permalink

back to top ^

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam is still way down from last fall, thanks to the efforts of security companies, who have tirelessly pursued the server colocation facilities used by spammers to command and control spam-sending Botnets and then shut them down or get spam accounts terminated. Those spammers are rebuilding or replacing their Botnets as I type this, so let's not become complacent. In fact, my spam count has been slowly increasing since the third week of January, 2009.

If you use MailWasher Pro you can enable the Blacklist function and add some pattern matching blacklist filters to automatically delete spam messages containing a forged From address matching either of these Regular Expressions: lin+met@+.de and kef+diz@+, in MailWasher Pro. These two blacklist rules caught over 22% of this week's spam. The interesting fact about those two rules is that the same forged domain name prefix is used on both sides of the @ symbol. So, if you see an incoming email with a sender listed as kefsomedomaindiz@somedomain.com it will match that rule.

MailWasher Pro spam category breakdown for March 9 - 15, 2009. Spam amounted to 11% of my incoming email this week. This represents a 1% decrease from last week.

Download MailWasher Pro Here

If you are reading this and wondering what you can do to reduce the sometimes huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft/Windows Live Mail, Eudora, Mozilla and other stand-alone email programs).

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. I never buy anything that is Spamvertised and recommend you don't either! Remember, almost all spam is now sent from compromised home or business PCs, zombies in various Botnets, all of which are controlled by criminals. If you purchase anything advertised in spam messages, you have given your credit or debit card information to the criminals behind that enterprise. If you are really lucky you will only be charged for the fake items you purchased, but, if not, you might find your credit limit used up, or your bank account emptied (for debit card transactions), by cyber criminals.

Also, unsubscribing through links in botnet-sent spam messages is futile, as you never opted-in, in the first place; your email address was captured by an email harvester on an infected computer belonging to somebody you corresponded with. Instead of receiving less spam as one might expect (by unsubscribing), all it does is confirm that your email address is active and you will see even more spam than before.

Another common way your email address may get harvested by spammers is if it appears in a large C.C. (Carbon Copy) list on a computer that gets Botnetted. Many people engage in forwarding messages among all their friends. Each time they forward chain letters their address gets added to the growing list of recipients (called Carbon Copy, or CC). If just one recipient of that message has an email harvesting malware infection, all of the email addresses listed in that message will be sent home to the spammer behind that spam run.

Smart folks who want to forward or send a message to multiple recipients use B.C.C. instead of C.C. Using B.C.C. hides all of the recipients from displaying. The To field will just show "Undisclosed Recipients" in a message sent using B.C.C. This is safest for you and your friends or mailing list. All email clients have a means of displaying a B.C.C. field.

Posted by Wiz at 11:35 PM | Permalink

back to top ^

From the security desk of Wiz Feinberg
March 11, 2009

On March 9 and 11, Foxit then Adobe released patched, updated versions of their PDF readers, responding to critical vulnerabilities, like the JBIG exploit, currently being exploited in the wild. Until the Foxit patch was announced on the 9th, many people believed that it was a safe alternative to the Adobe Reader. Not so. The Adobe exploits are targeting all Reader and Acrobat versions 7, through 9.0.

Foxit has patched three critical vulnerabilities with version 3.0 Build 1506. You can download the latest patched Foxit PDF Reader here. Interestingly, Foxit was only notified about these exploitable vulnerabilities a few weeks ago, in mid-February and were able to push out a patch in a short time.

Adobe, on the other hand, has been aware of the vulnerabilities in it's PDF Reader and Acrobat PDF encoder for three months (since early January 2009) and just today released the patch. When these security concerns were publicized Adobe recommended disabling JavaScript and browser plug-in functions in the Adobe Reader and in Acrobat. However, it was later demonstrated in a lab test at Secunia that Reader and Acrobat are still exploitable with these functions disabled. The patched versions released on March 11 finally plugs the holes that allow these exploits to occur. JavaScript and displaying a pdf in your browser can now be re-enabled, after you upgrade to Adobe Reader and Acrobat 9.1. Older Readers version 7 and 8 x will be patched on March 18, 2009.

You can download the current version of Adobe Reader here. This Adobe page has links to patch your version of Adobe Acrobat.

Adobe has published a security bulletin about the vulnerabilities affecting its Reader and Acrobat software, with the dates the vulnerabilities were announced and the release dates for the patches. This page goes far back and shows how they have responded to exploitable weaknesses for years.

If you missed the news, Adobe also released a patched version of Adobe Flash Player, on February 24, 2009. Adobe recommends all users of Adobe Flash Player 10.0.12.36 and earlier versions upgrade to the newest version 10.0.22.87 by downloading it from the Player Download Center, or by using the auto-update mechanism within the product when prompted.

The risk of browsing the Internet or opening emails containing links to or attachments containing rigged Flash and PDF files, without being fully patched against the exploit codes, is total system compromise. There have been malicious Flash banner ads released through some affiliate ad services that are capable of redirecting your browser to a hostile web server, where it will attempt to forceably and invisibly download exploit codes to your computer, if you have installed a vulnerable version of Flash Player, or Adobe (PDF) Reader or Acrobat.

You can scan your PCs online at Secunia.com, using their Online Software Inspector tool. It requires Java to operate and will report on any missing Windows patches, as well as any left over insecure versions of third party applications, like Flash, Reader and Java. It provides direct download links to obtain the latest patched versions, plus shows you the exact path to the old, exploitable versions still installed on your PC. I use it and recommend you do so every week, say on Tuesday evenings (after Windows Updates are released on Patch Tuesdays). It usually takes under a minute to complete the online scans. You must uninstall old software and install the updates yourself.

Posted by Wiz at 8:32 PM | Permalink

back to top ^

If you use Spybot Search and Destroy to protect your computer against spyware, it is time again to run your manual updates. New definitions and false positive fixes are usually released every Wednesday. Today's updates were released on schedule on March 11, 2009, as listed below.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers.

When all updates have succeeded, click on "Exit." With the program updated it is time to open the main program interface, using either the Start Menu link, or a desktop icon, to launch Spybot Search and Destroy. The next item to take care of is to apply Immunization. Click on the Immunize button in the left sidebar, select everything you want, or uncheck things like cookies, or Hosts, or Domains, as you see fit, then click on Immunize button over the right panel, that has a green cross. After immunizing against unwanted items you should click on the Search &Destroy icon, on the left, then click "Check for problems," on the right side.

It will take several minutes, or longer to scan all your files for known threats, and possible threats, using heuristics, unless you disable heuristics in the program's main Advanced Mode > Settings. When the scan completes anything listed in the definition databases will be listed in the results window, with check boxes in front of each main item group. If you find the program has listed some cookies or other programs you use and trust, uncheck them, click on the item name and the right click and select "Exclude this product from further searches." Finally, click on "Fix (selected) Problems."

Spybot Search and Destroy 1.6.2 was released on January 26, 2009. This is probably going to be the last "maintenance release" before version 2.0 is released. It scans for threats about 4 times faster than previous versions and has an redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6.2. The newest Virtumonde and Zlob threats require the anti malware engine in Spybot 1.6+ to effectively remove them.

Also today, the Tea Timer module was updated to version 1.6.6. If you use the Spybot Tea Timer you should install this update (as an administrator).

Additions made on March 11, 2009:
Adware
+ eZula HotText

Keyloggers
+ PerfectKeylogger

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ AdDestination
+ CMVideo
+ Fraud.Antivirus2010
+ Fraud.MSAntispyware2009
+ Fraud.SpywareGuard2008
+ Fraud.SystemGuard2009
+ MalwareRemovalBot
+ TotalVirusProtection
+ Vrl32software
+ Win32.Autoit.D
+ WinSpywareProtect
+ XPPoliceAntivirus

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Bredolab.B
+ Win32.Brontok.q
+ Win32.Lost.jau
+ Win32.Mudrop.kt
+ Win32.TDSS.bae
+ Win32.TDSS.rtk (TDSS is a Rootkit)
+ Win32.VB.cb

Total: 1453845 fingerprints in 460163 rules for 4584 products.

False positive detections reported or fixed this week:

Confirmed false positive detection of Mizuphone classed as a casino dialer This was fixed with today's updates.

A confirmed wrong detection of Virtumonde detected in C:\windows\system32\zipfdr.dll is due to users having older versions of Spybot S&D. Please upgrade to the current version, 1.6.2, download the newest definitions and F/F updates, then scan your system. These false positives should be gone (unless you really are infected!).

If you have purchased McAfee, Symantec, or Trend Micro security suites (which are very good products) and they ask you to uninstall Spybot, or do so without your option to refuse, simply reinstall Spybot afterward. But, I recommend not activating the Tea Timer module in Spybot S&D, as this will cause a struggle over which program monitors the system for realtime changes.

Extended Comments

Team Spybot has changed the name of the Spybot S&D setup file. The installer file that is downloaded to the desktop during a main update (to allow you to see the file and store it elsewhere if you want) is now named setup-spybotsd162.exe instead of spybotsd162.exe to avoid confusion with the regular Spybot... start link. The new naming convention should continue with future releases.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the new detections, by its name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection. A number in parenthesis, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

The domain "Spywareinfo.com" and TrafficZ was recently added to the HOSTS file updates (for redirection to 127.0.0.1), because the domain name expired and was purchased by spammers or malware distributers, in December 2008. It is now advertising a fake Spybot Search & Destroy, fake security scans and various malware downloads. The new Spywareinfo malware removal forum is located at: http://www.spywareinfoforum.com/

Note for Firefox users who saved links to the old spywareinfo website:
It has recently (Feb/09) been reported that in some versions of Spybot S&D, on some operating systems, if you have a link to the old spywareinfo website, now owned by purveyors of fake anti spyware products and scanners, "fixing" it will erase your entire Bookmarks.html file. This is being looked into right now and hopefully will be fixed real soon. In the meantime, if you use Firefox as your browser (which stores Favorite places as "Bookmarks") and after running a scan Spybot lists an infected bookmark with Spywareinfo as the culprit, uncheck that entry before fixing any other problems. You can manually edit your Firefox Bookmarks to remove the link to that website, or any similar compromised website.

Malware Removal Guides

The good folks at Spybot S&D have started a new segment of their official forums, titled "Malware Removal Guides." Each week they intend to write a short self-help article to help you remove various common malware threats manually, or in conjunction with Spybot S&D. This should prove to be a very useful addition to the Spybot forums.

If you are still using Spybot S&D 1.3, or 1.4, update support is about to end and your computer will be at greater risk because of having out-dated definitions. Furthermore, older versions of Spybot are known to report lots of false positives, due to the advanced heuristic rules now found in the newer definition files.

If you are using any version older than 1.6 please upgrade to the current version of Spybot S&D, which is now 1.6.2, as soon as possible. New definitions for malware like the Virtumonde family of Trojans need the newer processing technologies introduced in version 1.6.0. Also, the number of malware definitions has more than doubled between July and December, 2008.

Work is progressing at a steady pace on Spybot S&D version 2.0, thanks to an army of volunteer beta testers. The upcoming version will be modularized, with separate executables carrying out different detection and immunization tasks now performed by the main program file. This is expected to speed up the scanning times, which is becoming more strenuous with the rapid increase in the number of detections being developed by Team Spybot.

To benefit from these improvements, I recommend that you update to Spybot Search & Destroy 1.6.2, which is available through the update function integrated into the application as well as from the Spybot S&D download page. When version 2.0 is finally released you should follow the to-be-posted instructions and upgrade to that version.

If your computer gets stuck in a logon/logoff loop, after updating and scanning with the older versions of Spybot, visit this forum page for a solution, from Team Spybot.

Of continued concern to people who operate as Limited or Power Users for their daily browsing and email, Spybot Search and Destroy is still corrupting your less privileged accounts after you update it, immunize and scan from an Administrator level account. If, after doing these things, you log off the Administrator account and try to log into your Limited/Power User account, it may be corrupted and a generic desktop and start menu may appear. Don't panic! Your account and desktop can be restored by simply rebooting the computer. When you login after the reboot your previous settings will reappear. I don't know why this happens, but, stuff happens! It may be related to the relatively new rootkit detection added last year.

If you want to get direct assistance from Team Spybot, or their talented volunteers, visit the Spybot support forums, sign up for a user account and post your request for assistance. Be sure to read the rules before posting a question or reply.

If your computer is infected and you need help removing the threats, go to the Malware Removal Forums, at Safer Networking/Spybot.info. Again, read the rules before posting your request or logs! Do NOT inject your problem into somebody else's thread! Start a new topic.

Some people are confused by detections of Wild Tangent on their computers. Wild Tangent is detected as a PUP, meaning Potentially Unwanted Program, because it does send home some identifiable information about you and your computer. It ships with various games and screen savers and is a means of funding those programs. If you knowingly installed Wild Tangent and aren't worried about it, and don't wish to have Spybot repeatedly display it in scan results, do the following: Right click the WildTangent Product in the Scan result and select to "Ignore the product from further searches."

If Spybot flags a file on your computer that you believe is a false positive detection, use caution and check with the Spybot False Positives Forum before allowing it to be deleted. You can submit a report to the Spybot False Positives forum, after signing up for an account and reading about how to report false positives before submitting your report and request for analysis.

Posted by Wiz at 1:22 PM | Permalink

back to top ^

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam is still way down from last fall, thanks to the efforts of security companies, who have tirelessly pursued the server colocation facilities used by spammers to command and control spam-sending Botnets and then shut them down or get spam accounts terminated. Those spammers are rebuilding or replacing their Botnets as I type this, so let's not become complacent. In fact, my spam count has been slowly increasing since the third week of January, 2009.

If you use MailWasher Pro you can enable the Blacklist function and add some pattern matching blacklist filters to automatically delete spam messages containing a forged From address matching either of these Regular Expressions: lin+met@+.de and kef+diz@+, in MailWasher Pro. These two blacklist rules caught over 22% of this week's spam. The interesting fact about those two rules is that the same forged domain name prefix is used on both sides of the @ symbol. So, if you see an incoming email with a sender listed as kefsomedomaindiz@somedomain.com it will match that rule.

MailWasher Pro spam category breakdown for March 2 - 8, 2009. Spam amounted to 12% of my incoming email this week. This represents a 6% decrease from last week.

Download MailWasher Pro Here

If you are reading this and wondering what you can do to reduce the sometimes huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft/Windows Live Mail, Eudora, Mozilla and other stand-alone email programs).

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. I never buy anything that is Spamvertised and recommend you don't either! Remember, almost all spam is now sent from compromised home or business PCs, zombies in various Botnets, all of which are controlled by criminals. If you purchase anything advertised in spam messages, you have given your credit or debit card information to the criminals behind that enterprise. If you are really lucky you will only be charged for the fake items you purchased, but, if not, you might find your credit limit used up, or your bank account emptied (for debit card transactions), by cyber criminals.

Also, unsubscribing through links in botnet-sent spam messages is futile, as you never opted-in, in the first place; your email address was captured by an email harvester on an infected computer belonging to somebody you corresponded with. Instead of receiving less spam as one might expect (by unsubscribing), all it does is confirm that your email address is active and you will see even more spam than before.

Another common way your email address may get harvested by spammers is if it appears in a large C.C. (Carbon Copy) list on a computer that gets Botnetted. Many people engage in forwarding messages among all their friends. Each time they forward chain letters their address gets added to the growing list of recipients (called Carbon Copy, or CC). If just one recipient of that message has an email harvesting malware infection, all of the email addresses listed in that message will be sent home to the spammer behind that spam run.

Smart folks who want to forward or send a message to multiple recipients use B.C.C. instead of C.C. Using B.C.C. hides all of the recipients from displaying. The To field will just show "Undisclosed Recipients" in a message sent using B.C.C. This is safest for you and your friends or mailing list. All email clients have a means of displaying a B.C.C. field.

Posted by Wiz at 4:05 PM | Permalink

back to top ^

Many of my regular visitors to this website (www.wizcrafts.net/) are aware of the fact that I maintain and publish, for free, various IP address blocklists. In fact, a lot of you are using one or more of these lists to protect your websites and forums from scammers, spammers, content thieves and exploits. If you are benefiting from using my blocklists I could sure use your help, in the form of PayPal Donations, in any amount you can afford.

All of the blocklists come in two forms: Apache .htaccess and Linux iptables. I'll discuss the differences later in this article. Note, that there is no real difference between a "blocklist" and a "blacklist" and while some people interchange them, blocklist is the correct technical term for ip and "host name" lists used to block access to a web server. Also, my IP blocklists are specifically formatted for use on Linux or Unix (or equivalent) operating systems and Apache web servers. The Apache web server is totally free and is the most widely deployed web server on the Internet.

It is my understanding that websites hosted on Windows IIS Servers can import the IP ranges into a special IIS configuration file, possibly only line by line, but I don't know the details. Ask your web host or server administrator if they can convert long .htaccess or iptables blocklists into Windows IIS format.

My earliest and most famous blocklist is the Nigerian Blocklist, which I began compiling during the summer of 2005. It came about as the result of me being a member of a specialty interest group buy and sell forum that was invaded by Nigerian 419 scammers. Soon there were wholesale reports of multiple daily scam messages being received by sellers on that forum. I asked the owner a few technical questions about the server and proceeded to begin compiling a flow of forwarded-as-attachments scam emails from the members, which contained the originating IP addresses of the scammers, in the headers. I researched each address to trace the ISP to which that IP was assigned and then discovered the full CIDR assigned to them. These IP CIDRs were accumulated into what soon became the Nigerian Blocklist, for use as a .htaccess file, on the forum's Apache-based server.

Today, about three and a half years later, webmasters around the World apply my Nigerian Blocklist to their .htaccess file, or iptables firewalls, keeping Nigerian and other African 419 scammers from conning their members out of their money and sometimes goods, as well. Many of these scams targeting sellers involved overpayment with a counterfeit cashiers' check, or Postal Money Order, with the seller refunding the difference by Western Union. It wasn't usually until two weeks had passed that the banks began notifying victims that they had deposited counterfeit checks and the victims were responsible for repaying the full amount to their bank. Yes, it really can take that long to find out if a cashiers' check is counterfeit, or drawn on a closed account.

This work began evolving in the beginning of 2007 to cover other types of hostile actions aimed at my websites, including, form, log and blog spam, content theft, hacking probes and server exploit attacks and the work continues to this day. Each day I read through my raw access logs and use special software and regular expressions to separate hostile contacts from legitimate ones. After performing Whois lookups of the more frequent IP abuses I add their ISP or web hosting, or dedicated server leasing company to the appropriate blocklist and publish the updates. You'd be amazed at the sheer number of exploited servers being used to launch attacks against other servers, every day!

As of now I maintain four different blocklist, each available in both .htaccess and iptables formats. Webmasters who lease space on shared hosting servers are limited to using the .htaccess blocklists. These lists contain "directives" interpreted by an Apache web server, to control access to any, or all of your web pages. This is all they are able to block. They cannot stop spammers from sending email to your email server, hackers from trying to ftp into your account - and try tp crack your password. To block these things requires applying IP blocklists and individual offending IP addresses to the Linux automatic policy firewall, which protects your server box itself. Only a system administrator can do such things, so, if you rent a dedicated server you will have "Root" access. Some "VPS" servers also contain a mini-operating system for each account, allowing root access to the underlying operating system and firewall.

The different types of web hosting accounts can be confusing at first, so I maintain a web page all about web hosting. Yes it has links to commercial companies, and yes I will make a commission when somebody signs up through my links and banners. This is not a crime. It is a way to help offset to costs of hosting and updating my websites. I have to eat like the rest of you all!

I have created two landing pages to help new users determine which blocklists are best for their use and level of server privileges. If you only have .htaccess permissions, please visit my Htaccess Blocklists page. If you have Root access to the Linux firewall, please look at my Iptables Blocklists page. Each links to four different blocklists: Chinese-Korean, Exploited-Hostile Servers, Nigerian-African and Russian-Turkish blocklists. And, each landing page also has PayPal Donation buttons, which I hope some of you will be kind enough to use.

Further, each page on my website has a link to contact me, the Webmaster, to send reports of new IP addresses assigned to ISPs and servers used by forum spammers, blog and form scammers and server exploiters.

In closing, thanks to those who are already making occasional donations, as well as those of you who will in the future. I thank you from the bottom of my heart!

PS: I am available for hire as a website security consultant and can install and manage blocklists for you, on a contract, or as needed basis. See my Webmaster Services page for more details about my Webmaster services.

Posted by Wiz at 2:17 AM | Permalink

back to top ^

If you use Spybot Search and Destroy to protect your computer against spyware, it is time again to run your manual updates. New definitions and false positive fixes are usually released every Wednesday. Today's updates were released on schedule on March 4, 2009, as listed below.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers.

When all updates have succeeded, click on "Exit." With the program updated it is time to open the main program interface, using either the Start Menu link, or a desktop icon, to launch Spybot Search and Destroy. The next item to take care of is to apply Immunization. Click on the Immunize button in the left sidebar, select everything you want, or uncheck things like cookies, or Hosts, or Domains, as you see fit, then click on Immunize button over the right panel, that has a green cross. After immunizing against unwanted items you should click on the Search &Destroy icon, on the left, then click "Check for problems," on the right side.

It will take several minutes, or longer to scan all your files for known threats, and possible threats, using heuristics, unless you disable heuristics in the program's main Advanced Mode > Settings. When the scan completes anything listed in the definition databases will be listed in the results window, with check boxes in front of each main item group. If you find the program has listed some cookies or other programs you use and trust, uncheck them, click on the item name and the right click and select "Exclude this product from further searches." Finally, click on "Fix (selected) Problems."

Spybot Search and Destroy 1.6.2 was released on January 26, 2009. This is probably going to be the last "maintenance release" before version 2.0 is released. It scans for threats about 4 times faster than previous versions and has an redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6.2. The newest Virtumonde and Zlob threats require the anti malware engine in Spybot 1.6+ to effectively remove them.

Additions made on March 4, 2009:

Hijackers
+ Hyperlinker

Keyloggers
+ PerfectKeylogger

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ Fraud.SystemAntivirus
+ RegistryFox
+ Win32.Agent.pn
+ Win32.Beloy.a

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
+ QuadRegistryCleaner

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ Bagle.dlj
+ Virtumonde.atr
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Agent.fox
+ Win32.Agent.lpb
+ Win32.Agent.mds
+ Win32.Agent.sd
+ Win32.Banload.aoo
+ Win32.Brontok.q
+ Win32.IRCBot.bkr
+ Win32.TDSS.bae (TDSS is a nasty rootkit!)
+ Win32.TDSS.clt
+ Win32.TDSS.dy
+ Win32.TDSS.mlt
+ Win32.TDSS.rtk
+ Win32.TDSS.tit
+ Win32.TDSS.vot
+ Win32.VB.fnk

Total: 1438055 fingerprints in 454664 rules for 4587 products.

False positive detections reported or fixed this week:

Confirmed false positive detection of "Win32.Agent.wls" is being reported as hiding in the registry under PGP encryption software's keys This was fixed with today's updates.

A confirmed wrong detection of Virtumonde detected in C:\windows\system32\zipfdr.dll is due to users having older versions of Spybot S&D. Please upgrade to the current version, 1.6.2, download the newest definitions and F/F updates, then scan your system. These false positives should be gone (unless you really are infected!).

Oh boy! Here we go; get on your hard hats!

Spybot S&D is now flagging installations of McAfee and Trend Micro security software as "PUPs, or Potentially Unwanted Programs (see this forum thread). This was done in retaliation against those companies for requiring their customers to uninstall Spybot while installing their products. Team Spybot has tested its program with both of these security suites, and others, and finds no evidence of any incompatibilities or struggles between them.

If you have purchased McAfee, Symantec, or Trend Micro security suites (which are very good products) and they ask you to uninstall Spybot, or do so without your option to refuse, simply reinstall Spybot afterward. But, I recommend not activating the Tea Timer module in Spybot S&D, as this will cause a struggle over which program monitors the system for realtime changes.

Extended Comments

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the new detections, by its name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection. A number in parenthesis, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

The domain "Spywareinfo.com" and TrafficZ was recently added to the HOSTS file updates (for redirection to 127.0.0.1), because the domain name expired and was purchased by spammers or malware distributers, in December 2008. It is now advertising a fake Spybot Search & Destroy, fake security scans and various malware downloads. The new Spywareinfo malware removal forum is located at: http://www.spywareinfoforum.com/

Note for Firefox users who saved links to the old spywareinfo website:
It has recently (Feb/09) been reported that in some versions of Spybot S&D, on some operating systems, if you have a link to the old spywareinfo website, now owned by purveyors of fake anti spyware products and scanners, "fixing" it will erase your entire Bookmarks.html file. This is being looked into right now and hopefully will be fixed real soon. In the meantime, if you use Firefox as your browser (which stores Favorite places as "Bookmarks") and after running a scan Spybot lists an infected bookmark with Spywareinfo as the culprit, uncheck that entry before fixing any other problems. You can manually edit your Firefox Bookmarks to remove the link to that website, or any similar compromised website.

Malware Removal Guides

The good folks at Spybot S&D have started a new segment of their official forums, titled "Malware Removal Guides." Each week they intend to write a short self-help article to help you remove various common malware threats manually, or in conjunction with Spybot S&D. This should prove to be a very useful addition to the Spybot forums.

If you are still using Spybot S&D 1.3, or 1.4, update support is about to end and your computer will be at greater risk because of having out-dated definitions. Furthermore, older versions of Spybot are known to report lots of false positives, due to the advanced heuristic rules now found in the newer definition files.

If you are using any version older than 1.6 please upgrade to the current version of Spybot S&D, which is now 1.6.2, as soon as possible. New definitions for malware like the Virtumonde family of Trojans need the newer processing technologies introduced in version 1.6.0. Also, the number of malware definitions has more than doubled between July and December, 2008.

Work is progressing at a steady pace on Spybot S&D version 2.0, thanks to an army of volunteer beta testers. The upcoming version will be modularized, with separate executables carrying out different detection and immunization tasks now performed by the main program file. This is expected to speed up the scanning times, which is becoming more strenuous with the rapid increase in the number of detections being developed by Team Spybot.

To benefit from these improvements, I recommend that you update to Spybot Search & Destroy 1.6.2, which is available through the update function integrated into the application as well as from the Spybot S&D download page. When version 2.0 is finally released you should follow the to-be-posted instructions and upgrade to that version.

If your computer gets stuck in a logon/logoff loop, after updating and scanning with the older versions of Spybot, visit this forum page for a solution, from Team Spybot.

Of continued concern to people who operate as Limited or Power Users for their daily browsing and email, Spybot Search and Destroy is still corrupting your less privileged accounts after you update it, immunize and scan from an Administrator level account. If, after doing these things, you log off the Administrator account and try to log into your Limited/Power User account, it may be corrupted and a generic desktop and start menu may appear. Don't panic! Your account and desktop can be restored by simply rebooting the computer. When you login after the reboot your previous settings will reappear. I don't know why this happens, but, stuff happens! It may be related to the relatively new rootkit detection added last year.

If you want to get direct assistance from Team Spybot, or their talented volunteers, visit the Spybot support forums, sign up for a user account and post your request for assistance. Be sure to read the rules before posting a question or reply.

If your computer is infected and you need help removing the threats, go to the Malware Removal Forums, at Safer Networking/Spybot.info. Again, read the rules before posting your request or logs! Do NOT inject your problem into somebody else's thread! Start a new topic.

Some people are confused by detections of Wild Tangent on their computers. Wild Tangent is detected as a PUP, meaning Potentially Unwanted Program, because it does send home some identifiable information about you and your computer. It ships with various games and screen savers and is a means of funding those programs. If you knowingly installed Wild Tangent and aren't worried about it, and don't wish to have Spybot repeatedly display it in scan results, do the following: Right click the WildTangent Product in the Scan result and select to "Ignore the product from further searches."

If Spybot flags a file on your computer that you believe is a false positive detection, use caution and check with the Spybot False Positives Forum before allowing it to be deleted. You can submit a report to the Spybot False Positives forum, after signing up for an account and reading about how to report false positives before submitting your report and request for analysis.

Posted by Wiz at 2:38 PM | Permalink

back to top ^

Although I use Firefox as my primary (default) browser and web design test tool, I have kept the latest version of Opera browsers installed as well, just to make sure it renders my layouts correctly. Today, March 3, 2009, I received a security alert that Opera Software, of Norway, had released a security update to the Opera Browser. This was in response to a vulnerability reported on CERT, on March 3, 2009. The new version is number 9.64. Like I usually do, I downloaded the new version, ran the setup file as an Administrator (using Run As), from my XP Professional Power User account and upgraded from the previous version (9.63). When Opera opened everything looked fine and I closed it and went on about my business, working with html files I was editing.

Begin Rant:

I was about an hour later, still logged into my Power User account, that I went to the still open directory where these .html files live and double clicked on one, expecting it to open in Firefox, which is my default browser. Instead, to my surprise, it opened in Opera! I had not made any changes in the setup of Opera. I told the program to perform an Upgrade installation, just like the previous versions had been. None of them ever stole my default browser association and few even asked about being made the default browser. This is something new and as it turned out, slightly difficult and aggravating to resolve.

When I found that Firefox was not opening .html files any more I checked its options to see if it was still the "default browser;" which it claimed it was. Had it not been, I would have been able to make it so, using the Check Now button (Tools > Options > Advanced > System Defaults). But, Firefox thought it still was the default browser, so I tried disassociating .html files within Opera, but nothing changed. About that time I decided switch to my Administrator level account to uninstall Opera and see if it gave back the previous association to Firefox, but no luck. I went into Set Access and Defaults and reset Firefox as the Default browser, which worked in the Admin account, so I logged off it and back into the Power User account. Note, that you cannot change the Program Access and Defaults from a Power User account, only an Administrator level account, in XP.

Back in my Power User account I found that it now associated .html files with Windows Notepad! Every html file I double clicked on opened in Notepad, not Firefox! I decided to do an end run around the Windows File Association defense and right clicked on an html file, in the aforementioned folder, and chose Properties. The Properties sheet showed the html files opened with Notepad and offered a button to Change that. I used the button and chose Firefox to open .html files, clicked Apply and OK. When I tried opening an html file it still wanted to use Notepad, so I restarted the computer. This act alone cures a lot of mess-ups and it fixed this one.

The point of this article isn't just to show my readers how to recover from a browser file type association theft, but also to let Opera Software know that one of their users is pretty #@$%*~ off right now about having to go through all this work to keep a long ago established file type association that their update broke, without any word of warning. Also, it may be a long time before I reinstall an Opera Browser, which I was only using to test website layouts for compatibility anyway.

End Rant

Posted by Wiz at 5:21 PM | Permalink

back to top ^

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

Spam is still way down from last fall, thanks to the efforts of security companies, who have tirelessly pursued the server colocation facilities used by spammers to command and control spam-sending Botnets and then shut them down or get spam accounts terminated. Those spammers are rebuilding or replacing their Botnets as I type this, so let's not become complacent. In fact, my spam count has been slowly increasing since the third week of January, 2009.

If you use MailWasher Pro you can enable the Blacklist function and add some pattern matching blacklist filters to automatically delete spam messages containing a forged From address matching either of these Regular Expressions: lin+met@+.de and kef+diz@+, in MailWasher Pro. These two blacklist rules caught over 22% of this week's spam. The interesting fact about those two rules is that the same forged domain name prefix is used on both sides of the @ symbol. So, if you see an incoming email with a sender listed as kefsomedomaindiz@somedomain.com it will match that rule.

MailWasher Pro spam category breakdown for Feb 23 - Mar 1, 2009. Spam amounted to 18% of my incoming email this week. This represents a 2% increase from last week. The Botnets are coming back to life.

Download MailWasher Pro Here

If you are reading this and wondering what you can do to reduce the sometimes huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft/Windows Live Mail, Eudora, Mozilla and other stand-alone email programs).

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. I never buy anything that is Spamvertised and recommend you don't either! Remember, almost all spam is now sent from compromised home or business PCs, zombies in various Botnets, all of which are controlled by criminals. If you purchase anything advertised in spam messages, you have given your credit or debit card information to the criminals behind that enterprise. If you are really lucky you will only be charged for the fake items you purchased, but, if not, you might find your credit limit used up, or your bank account emptied (for debit card transactions), by cyber criminals.

Also, unsubscribing through links in botnet-sent spam messages is futile, as you never opted-in, in the first place; your email address was captured by an email harvester on an infected computer belonging to somebody you corresponded with. Instead of receiving less spam as one might expect (by unsubscribing), all it does is confirm that your email address is active and you will see even more spam than before.

Another common way your email address may get harvested by spammers is if it appears in a large C.C. (Carbon Copy) list on a computer that gets Botnetted. Many people engage in forwarding messages among all their friends. Each time they forward chain letters their address gets added to the growing list of recipients (called Carbon Copy, or CC). If just one recipient of that message has an email harvesting malware infection, all of the email addresses listed in that message will be sent home to the spammer behind that spam run.

Smart folks who want to forward or send a message to multiple recipients use B.C.C. instead of C.C. Using B.C.C. hides all of the recipients from displaying. The To field will just show "Undisclosed Recipients" in a message sent using B.C.C. This is safest for you and your friends or mailing list. All email clients have a means of displaying a B.C.C. field.

Posted by Wiz at 3:48 PM | Permalink

back to top ^